Questions [linux] (server)

Nicola Mori
Asked: 2025-04-24 19:05:39 +0800 CST

ZFS pool in a very confusing state after a power outage

  • 8

After a hard power cut and a UPS failure, the ZFS pool is in a state I cannot make sense of:

$ zpool status -c serial
  pool: storage
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-4J
  scan: scrub repaired 0B in 1 days 10:40:40 with 0 errors on Wed Apr  2 10:40:42 2025
config:

        NAME                                                  STATE     READ WRITE CKSUM                serial
        storage                                               DEGRADED     0     0     0
          raidz2-0                                            DEGRADED     0     0     0
            8844532865098720143                               FAULTED      0     0     0  was /dev/sda1  ZL2AJ3S10000C1111G0H
            scsi-35000c500cafcbb67                            ONLINE       0     0     0  ZL2AJ3S10000C1111G0H
            scsi-35000c500cafc9a63                            ONLINE       0     0     0  ZL2AKR3F0000C1128SV6
            scsi-35000c500cafcb303                            ONLINE       0     0     0  ZL2AKQVX0000C1143G62
            scsi-35000c500cafcff33                            ONLINE       0     0     0  ZL2AKAG10000C11445AW
            scsi-35000c500cafc392b                            ONLINE       0     0     0  ZL2AKCWB0000C1143ARJ
            wwn-0x5000c500cafa8287                            ONLINE       0     0     0  ZL2AHSSL0000C107BQWN
            scsi-35000c500cafbec03                            ONLINE       0     0     0  ZL2AGE6X0000C1122SME
            7647119559265938125                               FAULTED      0     0     0  was /dev/sdi1  ZL2AGE6X0000C1122SME
            scsi-35000c500cafca18b                            ONLINE       0     0     0  ZL2AKR0B0000C1128RNJ
            scsi-35000c500cafc29c3                            ONLINE       0     0     0  ZL2AGDN30000C1140NTP
            scsi-35000c500cafbe293                            ONLINE       0     0     0  ZL2AKDSM0000C11278YB
          raidz2-1                                            DEGRADED     0     0     0
            scsi-SSEAGATE_ST16000NM002G_ZL2AKBXB0000C1126C6X  ONLINE       0     0     0  ZL2AKBXB0000C1126C6X
            1470086598115969130                               UNAVAIL      0     0     0  was /dev/sdy1          20342A6158FC
            wwn-0x5000c500cae0af8b                            ONLINE       0     0     0  ZL29T97Q0000C107188W
            12722321230162544658                              FAULTED      0     0     0  was /dev/sdl1  ZL2AKDSM0000C11278YB
            scsi-35000c500cafc3be7                            ONLINE       0     0     0  ZL2AJJZF0000C1143AH2
            scsi-35000c500cafc611f                            ONLINE       0     0     0  ZL2AKC6Z0000C11438R8
            scsi-35000c500cafcfb97                            ONLINE       0     0     0  ZL2AHY5R0000C11441Z5
            scsi-35000c500cafc8663                            ONLINE       0     0     0  ZL2AKBNX0000C1128RLR
            scsi-35000c500cafc9fa3                            ONLINE       0     0     0  ZL2AKR0Y0000C1128RN1
            scsi-35000c500cafc96b3                            ONLINE       0     0     0  ZL2AKR6T0000C1128SQP
            scsi-35000c500cafc2f23                            ONLINE       0     0     0  ZL2AK1NP0000C1143FXB
            scsi-35000c500cafc4ccf                            ONLINE       0     0     0  ZL2AKCKG0000C1143ETM
        logs
          nvme-INTEL_SSDPED1K375GA_PHKS01530050375AGN         ONLINE       0     0     0    PHKS01530050375AGN
        cache
          sdu                                                 FAULTED      0     0     0  corrupted data  ZL2AKR6T0000C1128SQP
          sdw                                                 FAULTED      0     0     0  corrupted data  ZL2AK1NP0000C1143FXB

There is a lot about the status above that I don't understand:

  1. Every FAULTED disk has the same serial number as one of the ONLINE disks
  2. The serial number of the UNAVAIL disk is that of one of the two SSDs I use for cache, not one of the HDDs used for the pool
  3. The serial numbers of the two FAULTED cache disks are those of two of the storage HDDs

What could cause the pool to be reduced to this state? Can the pool still be recovered? I considered trying the steps described here, but I can't even work out which disks are actually faulty. Would the simple steps described in that post fix my situation? I really need help, thanks in advance.

linux
  • 1 answer
  • 374 Views
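A parser for the `zpool status -c serial` output, added here as an example and not part of the original question, that cross-checks the serial column: it lists serials reported for more than one vdev and the non-ONLINE entries together with their `was /dev/...` hints, which is what has to be reconciled before picking a disk to replace. The sample input is a trimmed copy of the status output above; the function names are my own.

```python
"""Cross-check the serial column of `zpool status -c serial`.

Added example, not from the original post. The `-c serial` column comes from
a per-device zpool.d script, so the serial printed next to a vdev is only as
reliable as the device-node mapping at the moment the command runs. This
parser pulls every (name, state, serial) row out of the config block, lists
serials that are shared by more than one row, and collects the non-ONLINE
rows with their "was /dev/..." hint.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the status output in the question.
SAMPLE = """\
config:

        NAME                         STATE     READ WRITE CKSUM                serial
        storage                      DEGRADED     0     0     0
          raidz2-0                   DEGRADED     0     0     0
            8844532865098720143      FAULTED      0     0     0  was /dev/sda1  ZL2AJ3S10000C1111G0H
            scsi-35000c500cafcbb67   ONLINE       0     0     0  ZL2AJ3S10000C1111G0H
            scsi-35000c500cafc9a63   ONLINE       0     0     0  ZL2AKR3F0000C1128SV6
          raidz2-1                   DEGRADED     0     0     0
            1470086598115969130      UNAVAIL      0     0     0  was /dev/sdy1          20342A6158FC
            scsi-35000c500cafbe293   ONLINE       0     0     0  ZL2AKDSM0000C11278YB
            12722321230162544658     FAULTED      0     0     0  was /dev/sdl1  ZL2AKDSM0000C11278YB
        cache
          sdu                        FAULTED      0     0     0  corrupted data  ZL2AKR6T0000C1128SQP
"""

# A device row: name, state, the three error counters, then free-form notes
# whose last whitespace-separated token is the value of the `serial` column.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<state>[A-Z]+)\s+\d+\s+\d+\s+\d+(?P<rest>.*)$"
)
WAS_RE = re.compile(r"was\s+(/dev/\S+)")


def parse_status(text):
    """Return one dict per leaf device in the config block (pool/vdev groups skipped)."""
    entries = []
    in_config = False
    for line in text.splitlines():
        if line.startswith("config:"):
            in_config = True
            continue
        if not in_config:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue          # column header, 'logs'/'cache' labels, blank lines
        rest = m["rest"].split()
        if not rest:
            continue          # pool or raidz group row: it has no serial column
        was = WAS_RE.search(m["rest"])
        entries.append({
            "name": m["name"],
            "state": m["state"],
            "serial": rest[-1],
            "was": was.group(1) if was else None,
        })
    return entries


def duplicate_serials(entries):
    """Map each serial that appears on more than one row to those rows' names."""
    by_serial = defaultdict(list)
    for e in entries:
        by_serial[e["serial"]].append(e["name"])
    return {s: names for s, names in by_serial.items() if len(names) > 1}


def unhealthy(entries):
    """Rows whose state is anything other than ONLINE, in the order zpool printed them."""
    return [e for e in entries if e["state"] != "ONLINE"]


def report(text):
    """Human-readable summary, returned as lines so callers can test or print it."""
    entries = parse_status(text)
    lines = []
    for serial, names in duplicate_serials(entries).items():
        lines.append(f"serial {serial} reported for {len(names)} vdevs: {', '.join(names)}")
    for e in unhealthy(entries):
        hint = f" (was {e['was']})" if e["was"] else ""
        lines.append(f"{e['state']:8} {e['name']}{hint} serial={e['serial']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```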
Jaroslav Kucera
Asked: 2025-04-15 16:32:42 +0800 CST

How to get the DELL iDRAC IP from Linux?

  • 11

Somehow our iDRAC entries went missing from DNS.

Is there a way to discover the iDRAC IP from the Linux (RHEL 8) running on the node?

Rebooting to check the physical console is not an option.

linux
  • 2 answers
  • 906 Views
Artem
Asked: 2025-04-12 19:29:18 +0800 CST

Disabling imap compression in Dovecot

  • 5

My Dovecot imap server uses deflate compression for connections. How do I disable it for testing? I tried adding

plugin {
  imap_compress_deflate_level = 0
}

to a custom configuration in /etc/dovecot/conf.d/, but it doesn't work.

linux
  • 2 answers
  • 76 Views
MikiBelavista
Asked: 2025-04-04 17:50:25 +0800 CST

LINUX: how to make sense of a symlink pointing to a non-existent exe?

  • 5

I am trying to understand a process's exe on my Ubuntu server

sudo ls -l /proc/6293/exe 
lrwxrwxrwx 1 jenkins 65533 0 апр  4 09:03 /proc/6293/exe -> /usr/local/bin/node

When I look in the bin directory

/usr/local/bin# ls node
ls: cannot access 'node': No such file or directory

What does this symlink actually point to?

linux
  • 1 answer
  • 66 Views
LinuxScientist
Asked: 2025-04-04 04:31:01 +0800 CST

Expanding the Btrfs root partition after a VM disk resize (keeping /home on XFS)

  • 7

I really need some help figuring out how to safely expand the root partition on my Linux server VM. I have added 50GB of extra space to the VM's virtual disk and can see it with fdisk, but I am not sure how to allocate it without breaking the system.

Here is my current partition layout:

home-srv-01:~ #  lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0  100G  0 disk 
├─sda1   8:1    0    8M  0 part 
├─sda2   8:2    0 30.8G  0 part /var
│                               /usr/local
│                               /tmp
│                               /boot/grub2/i386-pc
│                               /boot/grub2/x86_64-efi
│                               /opt
│                               /srv
│                               /.snapshots
│                               /root
│                               /
├─sda3   8:3    0 17.2G  0 part /home
└─sda4   8:4    0    2G  0 part [SWAP]
sr0     11:0    1 15.3G  0 rom  
home-srv-01:~ #

home-srv-01:~ # fdisk -l
GPT PMBR size mismatch (104857599 != 209715199) will be corrected by write.
Disk /dev/sda: 100 GiB, 107374182400 bytes, 209715200 sectors
Disk model: VMware Virtual S
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: A1C8759F-D45C-4FB4-A365-1402AD4516B3

Device         Start       End  Sectors  Size Type
/dev/sda1       2048     18431    16384    8M BIOS boot
/dev/sda2      18432  64600063 64581632 30.8G Linux filesystem
/dev/sda3   64600064 100661247 36061184 17.2G Linux filesystem
/dev/sda4  100661248 104857566  4196319    2G Linux swap
home-srv-01:~ # 

The goal is to expand the Btrfs root partition (sda2) into the newly available space without losing the data on /home (sda3, XFS) and without making the system unbootable. Unfortunately, my previous attempt caused boot problems, so now I have to be extra careful.

Recap of the steps:

  1. Backed up all data in /home (/dev/sda3).
  2. Booted into a live CD/USB environment.
  3. Moved the data from /home to an external disk.
  4. Ran swapoff /dev/sda4 and deleted /dev/sda4.
  5. Deleted /dev/sda3 (this creates free space next to /dev/sda2).
  6. Resized the Btrfs filesystem on /dev/sda2 with btrfs filesystem resize max /.
  7. Recreated /dev/sda3 and restored /home from the backup.
  8. Recreated /dev/sda4 and ran swapon /dev/sda4.
  9. Once this was done, the system would no longer boot.

Many thanks for any advice or suggested steps. I really appreciate your guidance.

A sixty-year-old

linux
  • 2 answers
  • 122 Views
MikiBelavista
Asked: 2025-04-02 20:30:08 +0800 CST

Linux: how to stop a process on reboot?

  • 5

I am trying to disable Jenkins on this server because we no longer need it

ps -feww | grep jenkins

shows

jenkins     6646    6089  0 08:53 ?        00:00:00 npm start
jenkins     9180    6646 29 08:53 ?        01:19:15 next-server (v14.2.5)
jenkins    15769   12444  0 08:53 ?        00:00:02 /shared/argocd-dex rundex
jumicha      587438  544583  0 13:18 pts/0    00:00:00 grep --color=auto jenkins

What should I do next? How do I find out what started jenkins?

ps -p 9180 -o pid,vsz=MEMORY -o user,group=GROUP -o comm,args=ARGS
    PID MEMORY USER     GROUP    COMMAND         ARGS
   9180 21735356 jenkins 65533   next-server (v1 next-server (v14.2.5)

What is it that starts next-server?

pstree -pn 9180
next-server (v1(9180)─┬─{next-server (v1}(9189)
                      ├─{next-server (v1}(9190)
                      ├─{next-server (v1}(9191)
                      ├─{next-server (v1}(9192)
                      ├─{next-server (v1}(9193)
                      ├─{next-server (v1}(9214)
                      ├─{next-server (v1}(12061)
                      ├─{next-server (v1}(12062)
                      ├─{next-server (v1}(12063)
                      └─{next-server (v1}(12064)
linux
  • 2 answers
  • 74 Views
Clodoaldo
Asked: 2025-03-24 01:24:01 +0800 CST

How to make Firewalld keep the current rules after a reload

  • 5

Rules for the two services Fail2ban and Wireguard are applied in the firewalld service. Every time I reload the firewalld service, the rules are lost. How do I keep these rules across reloads?

# firewall-cmd --get-all-rules --direct
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT
ipv4 filter FORWARD 1 -i wg -o wg -j ACCEPT
ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

Rocky Linux 9

linux
  • 1 answer
  • 65 Views
Arkaik
Asked: 2025-03-19 17:43:29 +0800 CST

ssh login with publickey+mfa or password+mfa

  • 5

I have spent several hours trying to properly configure ssh MFA on Debian 12, with either a public key or a password being asked for before the OTP code.

So far I have managed to configure publickey+MFA and password+MFA, but not publickey|password+MFA


Publickey+MFA

  • Edit /etc/pam.d/sshd

    • Comment out @include common-auth
    • Add auth required pam_google_authenticator.so after it
  • Create the file /etc/ssh/sshd_config.d/mfa.conf with the following content

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

With this configuration I can log in with publickey+MFA, but when using a password I get a Permission denied (publickey)


Password+MFA

  • Edit /etc/pam.d/sshd

    • Keep @include common-auth
    • Add auth required pam_google_authenticator.so after it
  • Create the file /etc/ssh/sshd_config.d/mfa.conf with the following content

UsePAM yes
ChallengeResponseAuthentication yes

With this configuration I can log in with password+MFA, but when using public key authentication I am not asked for the OTP code


I have tried many different configurations and done a lot of research, but I can't find a way to configure authentication the way I want.

For example

AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

I can log in correctly with publickey+MFA, but when using a password I get "Permission denied" even though I am using the correct password.

I even tried using a custom pam configuration file like the following

auth    substack                        pam_unix.so
auth    required                        pam_google_authenticator.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

But nothing I tried works

I don't understand why this is so difficult to configure, since sshd itself can handle this, but when OTP MFA is added it cannot simply be inserted right after sshd's basic auth

If anyone has found a way to achieve this configuration I would be glad to hear about it.

Thanks in advance

linux
  • 1 answer
  • 36 Views
darth_alexious
Asked: 2025-03-11 04:45:01 +0800 CST

Connecting to the internet from a bridged Debian Linux machine?

  • 6

Machine: Linux Debian 12.8

Two Ethernet interfaces

  • enp2s0 - connected to the ISP router
  • enp4s0 - connected to the LAN switch

After bridging, I can reach the internet from any machine on the LAN, but I cannot reach the internet from the bridge machine itself.

If I take the bridge down, internet access on the machine comes back, but of course it loses its purpose, since it loses the connectivity between the two Ethernet interfaces.

  • I don't necessarily need a bridge; I just need this device to act as the security appliance for my network and have the traffic pass through it.
  • I want my own machine to be able to reach the internet as well as any other machine on the LAN.
  • In case it helps, I also have a wireless interface named wlp3s0 on the same machine
  • I also have a firewall installed (enabled or disabled, the result is always the same)

Thanks for your help.

Edit: the bridge stanza of /etc/network/interfaces:

auto br0
iface br0 inet static
        bridge_ports enp2s0 enp4s0
        address 192.168.22.2
        broadcast 192.168.22.255
        netmask 255.255.255.0
        gateway 192.168.22.1
linux
  • 2 answers
  • 163 Views
verified_tinker
Asked: 2025-03-10 13:43:22 +0800 CST

How to make packets from a network namespace bypass a WireGuard interface?

  • 5

I am using Mullvad VPN on the host (Fedora 41), which sets up a WireGuard interface, wg0-mullvad. I want traffic from and to the namespace bl to bypass it, the end goal being to connect to my company's AnyConnect VPN from inside bl and then RDP to my office computer, while the rest of my internet traffic goes through Mullvad.

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:11:c0:d6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp1s0
       valid_lft 81301sec preferred_lft 81301sec
    inet6 fec0::e777:52d6:5436:4997/64 scope site dynamic noprefixroute 
       valid_lft 86366sec preferred_lft 14366sec
    inet6 fe80::bc4e:6885:3d23:b51b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: veth-bl-root@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 62:fb:a5:45:d4:e3 brd ff:ff:ff:ff:ff:ff link-netns bl
    inet 192.168.11.2/24 scope global veth-bl-root
       valid_lft forever preferred_lft forever
    inet6 fe80::60fb:a5ff:fe45:d4e3/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: vpn0: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1207 qdisc fq_codel state DOWN group default qlen 500
    link/none 
10: wg0-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.136.199.175/32 scope global wg0-mullvad
       valid_lft forever preferred_lft forever

veth-bl-root is the virtual Ethernet interface connecting the root namespace and my namespace bl. You can ignore vpn0; it is the company VPN I mentioned, which I can currently only use while Mullvad is disconnected.

I followed this tutorial to set up the namespace and connect it to the Internet, meaning I enabled IP forwarding, packet forwarding and IP masquerading. It works when the Mullvad VPN is disconnected, but when I enable the VPN, requests time out. I guess this is because IP masquerading only happens when the packet leaves through enp1s0, and the Mullvad VPN prevents that from happening:

$ ip route get 8.8.8.8 from 192.168.11.2
8.8.8.8 from 192.168.11.2 dev wg0-mullvad table 1836018789 uid 1000 
    cache

While wg0-mullvad is effectively the default route, it doesn't appear to be set as such.

$ ip route
default via 10.0.2.2 dev enp1s0 proto dhcp src 10.0.2.15 metric 100 
10.0.2.0/24 dev enp1s0 proto kernel scope link src 10.0.2.15 metric 100 
10.64.0.1 dev wg0-mullvad proto static 
192.168.11.0/24 dev veth-bl-root proto kernel scope link src 192.168.11.2

$ ip rule list
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0x6d6f6c65 lookup 1836018789
32766:  from all lookup main
32767:  from all lookup default

$ ip route show table 1836018789
default dev wg0-mullvad proto static

Since it uses both packet marks and its own routing table, I tried two approaches, one for each of these mechanisms.

Attempted fixes

Separate routing table

First, I tried creating a new routing table whose only route is via enp1s0, and added a rule that all traffic from the namespace's IP address should use that table.

$ ip route show table bl
default via 10.0.2.15 dev enp1s0

$ ip rule
0:  from all lookup local
32763:  from 192.168.11.2/24 lookup bl
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0x6d6f6c65 lookup 1836018789
32766:  from all lookup main
32767:  from all lookup default

Since it takes precedence over Mullvad's rule, I hoped it would work. Indeed, ip route get looks promising:

$ ip route get 8.8.8.8 from 192.168.11.2
8.8.8.8 from 192.168.11.2 dev enp1s0 table bl uid 1000 
    cache

Unfortunately, the requests time out.

$ sudo ip netns exec bl traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C

$ sudo ip netns exec bl ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms

Using ping -I 192.168.11.2 8.8.8.8 fails as well:

$ sudo ping -I 192.168.11.2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.11.2 : 56(84) bytes of data.
From 192.168.11.2 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.2 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.2 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2075ms

tcpdump -n -i veth-bl-root icmp captures the packets, but tcpdump -n -i enp1s0 icmp finds nothing. The packets still go through wg0-mullvad:

# This is what happened when running `ping -c 3 8.8.8.8`.
$ sudo tcpdump -n -i wg0-mullvad icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0-mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
08:55:53.448220 IP 10.136.199.175 > 10.64.0.1: ICMP echo request, id 13627, seq 601, length 50
08:55:53.532425 IP 10.64.0.1 > 10.136.199.175: ICMP echo reply, id 13627, seq 601, length 50
08:55:59.449654 IP 10.136.199.175 > 10.64.0.1: ICMP echo request, id 13627, seq 602, length 50
08:55:59.534057 IP 10.64.0.1 > 10.136.199.175: ICMP echo reply, id 13627, seq 602, length 50
08:56:05.451552 IP 10.136.199.175 > 10.64.0.1: ICMP echo request, id 13627, seq 603, length 50
08:56:05.535728 IP 10.64.0.1 > 10.136.199.175: ICMP echo reply, id 13627, seq 603, length 50
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

This is the output of nft list ruleset at this stage:

table inet firewalld {
    ct helper helper-netbios-ns-udp {
        type "netbios-ns" protocol udp
        l3proto ip
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_POLICIES
    }

    chain mangle_PREROUTING_POLICIES {
        iifname "enp1s0" jump mangle_PRE_policy_allow-host-ipv6
        iifname "enp1s0" jump mangle_PRE_FedoraWorkstation
        iifname "enp1s0" return
        jump mangle_PRE_policy_allow-host-ipv6
        jump mangle_PRE_FedoraWorkstation
        return
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_POLICIES
    }

    chain nat_PREROUTING_POLICIES {
        iifname "enp1s0" jump nat_PRE_policy_allow-host-ipv6
        iifname "enp1s0" jump nat_PRE_FedoraWorkstation
        iifname "enp1s0" return
        jump nat_PRE_policy_allow-host-ipv6
        jump nat_PRE_FedoraWorkstation
        return
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_POLICIES
    }

    chain nat_POSTROUTING_POLICIES {
        iifname "enp1s0" oifname "enp1s0" jump nat_POST_FedoraWorkstation
        iifname "enp1s0" oifname "enp1s0" return
        oifname "enp1s0" jump nat_POST_FedoraWorkstation
        oifname "enp1s0" return
        iifname "enp1s0" jump nat_POST_FedoraWorkstation
        iifname "enp1s0" return
        jump nat_POST_FedoraWorkstation
        return
    }

    chain nat_OUTPUT {
        type nat hook output priority dstnat + 10; policy accept;
        jump nat_OUTPUT_POLICIES
    }

    chain nat_OUTPUT_POLICIES {
        oifname "enp1s0" jump nat_OUT_FedoraWorkstation
        oifname "enp1s0" return
        jump nat_OUT_FedoraWorkstation
        return
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        jump filter_INPUT_POLICIES
        reject with icmpx admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_POLICIES
        reject with icmpx admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_OUTPUT_POLICIES
    }

    chain filter_INPUT_POLICIES {
        iifname "enp1s0" jump filter_IN_policy_allow-host-ipv6
        iifname "enp1s0" jump filter_IN_FedoraWorkstation
        iifname "enp1s0" reject with icmpx admin-prohibited
        jump filter_IN_policy_allow-host-ipv6
        jump filter_IN_FedoraWorkstation
        reject with icmpx admin-prohibited
    }

    chain filter_FORWARD_POLICIES {
        iifname "enp1s0" oifname "enp1s0" jump filter_FWD_FedoraWorkstation
        iifname "enp1s0" oifname "enp1s0" reject with icmpx admin-prohibited
        iifname "enp1s0" jump filter_FWD_FedoraWorkstation
        iifname "enp1s0" reject with icmpx admin-prohibited
        oifname "enp1s0" jump filter_FWD_FedoraWorkstation
        oifname "enp1s0" reject with icmpx admin-prohibited
        jump filter_FWD_FedoraWorkstation
        reject with icmpx admin-prohibited
    }

    chain filter_OUTPUT_POLICIES {
        oifname "enp1s0" jump filter_OUT_FedoraWorkstation
        oifname "enp1s0" return
        jump filter_OUT_FedoraWorkstation
        return
    }

    chain filter_IN_FedoraWorkstation {
        jump filter_IN_FedoraWorkstation_pre
        jump filter_IN_FedoraWorkstation_log
        jump filter_IN_FedoraWorkstation_deny
        jump filter_IN_FedoraWorkstation_allow
        jump filter_IN_FedoraWorkstation_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_FedoraWorkstation_pre {
    }

    chain filter_IN_FedoraWorkstation_log {
    }

    chain filter_IN_FedoraWorkstation_deny {
    }

    chain filter_IN_FedoraWorkstation_allow {
        ip6 daddr fe80::/64 udp dport 546 accept
        tcp dport 22 accept
        udp dport 137 ct helper set "helper-netbios-ns-udp"
        udp dport 137 accept
        udp dport 138 accept
        ip daddr 224.0.0.251 udp dport 5353 accept
        ip6 daddr ff02::fb udp dport 5353 accept
        udp dport 1025-65535 accept
        tcp dport 1025-65535 accept
    }

    chain filter_IN_FedoraWorkstation_post {
    }

    chain filter_OUT_FedoraWorkstation {
        jump filter_OUT_FedoraWorkstation_pre
        jump filter_OUT_FedoraWorkstation_log
        jump filter_OUT_FedoraWorkstation_deny
        jump filter_OUT_FedoraWorkstation_allow
        jump filter_OUT_FedoraWorkstation_post
    }

    chain filter_OUT_FedoraWorkstation_pre {
    }

    chain filter_OUT_FedoraWorkstation_log {
    }

    chain filter_OUT_FedoraWorkstation_deny {
    }

    chain filter_OUT_FedoraWorkstation_allow {
    }

    chain filter_OUT_FedoraWorkstation_post {
    }

    chain nat_OUT_FedoraWorkstation {
        jump nat_OUT_FedoraWorkstation_pre
        jump nat_OUT_FedoraWorkstation_log
        jump nat_OUT_FedoraWorkstation_deny
        jump nat_OUT_FedoraWorkstation_allow
        jump nat_OUT_FedoraWorkstation_post
    }

    chain nat_OUT_FedoraWorkstation_pre {
    }

    chain nat_OUT_FedoraWorkstation_log {
    }

    chain nat_OUT_FedoraWorkstation_deny {
    }

    chain nat_OUT_FedoraWorkstation_allow {
    }

    chain nat_OUT_FedoraWorkstation_post {
    }

    chain nat_POST_FedoraWorkstation {
        jump nat_POST_FedoraWorkstation_pre
        jump nat_POST_FedoraWorkstation_log
        jump nat_POST_FedoraWorkstation_deny
        jump nat_POST_FedoraWorkstation_allow
        jump nat_POST_FedoraWorkstation_post
    }

    chain nat_POST_FedoraWorkstation_pre {
    }

    chain nat_POST_FedoraWorkstation_log {
    }

    chain nat_POST_FedoraWorkstation_deny {
    }

    chain nat_POST_FedoraWorkstation_allow {
    }

    chain nat_POST_FedoraWorkstation_post {
    }

    chain filter_FWD_FedoraWorkstation {
        jump filter_FWD_FedoraWorkstation_pre
        jump filter_FWD_FedoraWorkstation_log
        jump filter_FWD_FedoraWorkstation_deny
        jump filter_FWD_FedoraWorkstation_allow
        jump filter_FWD_FedoraWorkstation_post
    }

    chain filter_FWD_FedoraWorkstation_pre {
    }

    chain filter_FWD_FedoraWorkstation_log {
    }

    chain filter_FWD_FedoraWorkstation_deny {
    }

    chain filter_FWD_FedoraWorkstation_allow {
        oifname "enp1s0" accept
    }

    chain filter_FWD_FedoraWorkstation_post {
    }

    chain nat_PRE_FedoraWorkstation {
        jump nat_PRE_FedoraWorkstation_pre
        jump nat_PRE_FedoraWorkstation_log
        jump nat_PRE_FedoraWorkstation_deny
        jump nat_PRE_FedoraWorkstation_allow
        jump nat_PRE_FedoraWorkstation_post
    }

    chain nat_PRE_FedoraWorkstation_pre {
    }

    chain nat_PRE_FedoraWorkstation_log {
    }

    chain nat_PRE_FedoraWorkstation_deny {
    }

    chain nat_PRE_FedoraWorkstation_allow {
    }

    chain nat_PRE_FedoraWorkstation_post {
    }

    chain mangle_PRE_FedoraWorkstation {
        jump mangle_PRE_FedoraWorkstation_pre
        jump mangle_PRE_FedoraWorkstation_log
        jump mangle_PRE_FedoraWorkstation_deny
        jump mangle_PRE_FedoraWorkstation_allow
        jump mangle_PRE_FedoraWorkstation_post
    }

    chain mangle_PRE_FedoraWorkstation_pre {
    }

    chain mangle_PRE_FedoraWorkstation_log {
    }

    chain mangle_PRE_FedoraWorkstation_deny {
    }

    chain mangle_PRE_FedoraWorkstation_allow {
    }

    chain mangle_PRE_FedoraWorkstation_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        iifname "veth-bl-root" oifname "enp1s0" counter packets 3 bytes 252 accept
        iifname "enp1s0" oifname "veth-bl-root" counter packets 3 bytes 252 accept
    }
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.11.0/24 oifname "enp1s0" counter packets 1 bytes 84 masquerade
    }
}
table inet mullvad {
    chain prerouting {
        type filter hook prerouting priority -199; policy accept;
        iif != "wg0-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
        ip saddr 193.138.218.220 udp sport 16734 meta mark set 0x6d6f6c65
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct mark 0x00000f41 accept
        udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
        ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
        ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        ip daddr 193.138.218.220 udp dport 16734 meta mark 0x6d6f6c65 accept
        oif "wg0-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg0-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        oif "wg0-mullvad" accept
        reject
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct mark 0x00000f41 accept
        udp sport 67 udp dport 68 accept
        ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
        ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        ip saddr 193.138.218.220 udp sport 16734 ct state established accept
        iif "wg0-mullvad" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct mark 0x00000f41 accept
        udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
        udp sport 67 udp dport 68 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
        ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
        ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        oif "wg0-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg0-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        oif "wg0-mullvad" accept
        iif "wg0-mullvad" ct state established accept
        reject
    }

    chain mangle {
        type route hook output priority mangle; policy accept;
        oif "wg0-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg0-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }

    chain nat {
        type nat hook postrouting priority srcnat; policy accept;
        oif "wg0-mullvad" ct mark 0x00000f41 drop
        oif != "lo" ct mark 0x00000f41 masquerade
    }
}

Marking packets from bl

Since Mullvad seems to ignore packets marked with 0x6d6f6c65, I tried adding a rule that stamps that mark on packets coming from bl.

$ sudo nft add rule inet mullvad prerouting ip saddr 192.168.11.2 meta mark set 0x6d6f6c65
$ sudo nft list ruleset | grep mullvad
table inet mullvad {
    chain prerouting {
        type filter hook prerouting priority -199; policy accept;
        iif != "wg0-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
        ip saddr 170.62.100.66 udp sport 10501 meta mark set 0x6d6f6c65
        ip saddr 192.168.11.2 meta mark set 0x6d6f6c65
    }
    ...
}

But this had no effect.

$ ip route get 8.8.8.8 from 192.168.11.2
8.8.8.8 from 192.168.11.2 dev wg0-mullvad table 1836018789 uid 1000 
    cache 

$ sudo ip netns exec bl traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C

Am I making a mistake somewhere, or is my whole approach flawed?

linux
  • 1 answer
  • 68 Views
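A routing-table sanity check, added here as an example and not part of the original question: it parses `ip addr` and `ip route show table X` style output and flags a route whose gateway is one of the host's own addresses, is not on-link for its device, or differs from the main table's default gateway on that device. In the question, table bl reads `default via 10.0.2.15 dev enp1s0` while the main table's default route goes via 10.0.2.2 and `ip addr` lists 10.0.2.15 as the host's own enp1s0 address; the samples are trimmed copies of those outputs and the function names are my own.

```python
"""Sanity-check a custom routing table against the host's own addresses.

Added example, not from the original post. A next hop that is a local
address has no neighbour on the wire to resolve to, so a policy-routing rule
can select the table (as `ip route get` shows) while the packets never
actually leave the device. The checks below surface that kind of route, plus
gateways that are off-link for their device and gateways that disagree with
the main table's default for the same device, before anyone starts debugging
firewall marks.
"""
import ipaddress
import re

# Constructed samples: trimmed copies of the outputs shown in the question.
IP_ADDR_SAMPLE = """\
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:11:c0:d6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp1s0
3: veth-bl-root@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.11.2/24 scope global veth-bl-root
10: wg0-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.136.199.175/32 scope global wg0-mullvad
"""

MAIN_TABLE_SAMPLE = """\
default via 10.0.2.2 dev enp1s0 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp1s0 proto kernel scope link src 10.0.2.15 metric 100
10.64.0.1 dev wg0-mullvad proto static
192.168.11.0/24 dev veth-bl-root proto kernel scope link src 192.168.11.2
"""

BL_TABLE_SAMPLE = """\
default via 10.0.2.15 dev enp1s0
"""

LINK_RE = re.compile(r"^\d+:\s+(?P<dev>[^:@\s]+)")
INET_RE = re.compile(r"^\s+inet\s+(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)")
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")


def local_addresses(ip_addr_text):
    """Return {device: [IPv4Interface, ...]} from `ip addr` output."""
    result = {}
    dev = None
    for line in ip_addr_text.splitlines():
        link = LINK_RE.match(line)
        if link:
            dev = link["dev"]          # "veth-bl-root@if2" is reported as veth-bl-root
            continue
        inet = INET_RE.match(line)
        if inet and dev:
            result.setdefault(dev, []).append(ipaddress.ip_interface(inet["addr"]))
    return result


def parse_routes(route_text):
    """Return [(destination, gateway or None, device), ...] from `ip route` output."""
    matches = (ROUTE_RE.match(line) for line in route_text.splitlines())
    return [(m["dst"], m["gw"], m["dev"]) for m in matches if m]


def check_table(name, table_text, ip_addr_text, main_text):
    """Return a list of findings for one routing table (empty when it looks sane)."""
    addrs = local_addresses(ip_addr_text)
    local_ips = {str(i.ip) for ifaces in addrs.values() for i in ifaces}
    main_default = {dev: gw for dst, gw, dev in parse_routes(main_text)
                    if dst == "default" and gw}
    findings = []
    for dst, gw, dev in parse_routes(table_text):
        if gw is None:
            continue                   # on-link route: nothing to resolve
        where = f"table {name}: {dst} via {gw} dev {dev}:"
        if gw in local_ips:
            findings.append(f"{where} gateway is one of the host's own addresses")
        gw_ip = ipaddress.ip_address(gw)
        if not any(gw_ip in i.network for i in addrs.get(dev, [])):
            findings.append(f"{where} gateway is not on-link for {dev}")
        if dst == "default" and dev in main_default and main_default[dev] != gw:
            findings.append(f"{where} main table uses {main_default[dev]} on {dev}")
    return findings


if __name__ == "__main__":
    for table, text in (("main", MAIN_TABLE_SAMPLE), ("bl", BL_TABLE_SAMPLE)):
        found = check_table(table, text, IP_ADDR_SAMPLE, MAIN_TABLE_SAMPLE)
        print("\n".join(found or [f"table {table}: ok"]))
```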
